Re: How to access the raw data collected by Splunk...

sc2019 · ‎08-29-2019

I want to access the log files from Web servers, Micro Services, by protocol (HTTP, SOAP, FTP, etc.) or Databases.
What are the aggregates which Splunk avails to user via the Splunk interface? (We know about volumes and response time but would like to know other protocols like return codes, etc.)

solarboyz1 · ‎08-29-2019

Splunk takes the raw data an indexes it, you can then run searches against the data.

You can access the data by running searches in Splunk, which can be done via the REST API:
https://dev.splunk.com/restapi

The following is a list of the aggregate functions that can be used:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats

Via rest, you could run a basic search like "index=*" , which would return the raw events.

You use the stats functions against fields in the data, "index=* | stats sum(kb) as "kb sent" by host"

What aggregates you can calculate will depend on the data you have, and what fields are available.

Splunk has several add-on available for parsing and reporting on data from common tools, systems, etc..

somesoni2 · ‎08-29-2019

I suggest you start from here:(Splunk Search Tutorial) https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Startsearching.

If you still have question about specific query/report that want to generate, then provide little more detailed requirement, sample data and expected output.

How to access the raw data collected by Splunk?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...